Hi,

I have just stumbled upon a quite strange behavior in an SSL connection with a client certificate. It looks like something introduced between JDK 8u111 and JDK 8u121; JDK9 (all Oracle) and OpenJDK 8u151 are affected as well. There is already a ticket for this (JDK-8180819), but it has been closed due to no response from the original reporter.

This is the exception (with 8u121):

Exception in thread "main" com.sun.xml.internal.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: Error signing certificate verify
    at com.sun.xml.internal.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:117)
    at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:208)
    at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:130)
    at com.sun.xml.internal.ws.transport.DeferredTransportPipe.processRequest(DeferredTransportPipe.java:124)
    at com.sun.xml.internal.ws.api.pipe.Fiber.__doRun(Fiber.java:1121)
    at com.sun.xml.internal.ws.api.pipe.Fiber._doRun(Fiber.java:1035)
    at com.sun.xml.internal.ws.api.pipe.Fiber.doRun(Fiber.java:1004)
    at com.sun.xml.internal.ws.api.pipe.Fiber.runSync(Fiber.java:862)
    at com.sun.xml.internal.ws.client.Stub.process(Stub.java:448)
    at com.sun.xml.internal.ws.client.sei.SEIStub.doProcess(SEIStub.java:178)
    at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:93)
    at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:77)
    at com.sun.xml.internal.ws.client.sei.SEIStub.invoke(SEIStub.java:147)
Caused by: javax.net.ssl.SSLHandshakeException: Error signing certificate verify
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1113)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:348)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1316)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1291)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
    at com.sun.xml.internal.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:104)
    ... 14 more
Caused by: java.security.InvalidKeyException: No installed provider supports this key: sun.security.pkcs.PKCS8Key
    at java.security.Signature$Delegate.chooseProvider(Signature.java:1135)
    at java.security.Signature$Delegate.engineInitSign(Signature.java:1185)
    at java.security.Signature.initSign(Signature.java:550)
    at sun.security.ssl.HandshakeMessage$CertificateVerify.<init>(HandshakeMessage.java:1587)
    at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1110)
    ... 27 more


When using PKCS12 instead of JKS for the identity keystore, the trace is different (this trace is from a JDK 8u151):

Exception in thread "main" com.sun.xml.internal.ws.client.ClientTransportException: HTTP transport error: java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
    at com.sun.xml.internal.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:117)
    at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:208)
    at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:130)
    at com.sun.xml.internal.ws.transport.DeferredTransportPipe.processRequest(DeferredTransportPipe.java:124)
    at com.sun.xml.internal.ws.api.pipe.Fiber.__doRun(Fiber.java:1121)
    at com.sun.xml.internal.ws.api.pipe.Fiber._doRun(Fiber.java:1035)
    at com.sun.xml.internal.ws.api.pipe.Fiber.doRun(Fiber.java:1004)
    at com.sun.xml.internal.ws.api.pipe.Fiber.runSync(Fiber.java:862)
    at com.sun.xml.internal.ws.client.Stub.process(Stub.java:448)
    at com.sun.xml.internal.ws.client.sei.SEIStub.doProcess(SEIStub.java:178)
    at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:93)
    at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:77)
    at com.sun.xml.internal.ws.client.sei.SEIStub.invoke(SEIStub.java:147)
Caused by: java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
    at javax.net.ssl.DefaultSSLSocketFactory.throwException(SSLSocketFactory.java:248)
    at javax.net.ssl.DefaultSSLSocketFactory.createSocket(SSLSocketFactory.java:255)
    at sun.net.www.protocol.https.HttpsClient.createSocket(HttpsClient.java:405)
    at sun.net.NetworkClient.doConnect(NetworkClient.java:162)
    at sun.net.www.http.HttpClient.openServer(HttpClient.java:463)
    at sun.net.www.http.HttpClient.openServer(HttpClient.java:558)
    at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:264)
    at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)
    at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1199)
    at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1050)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1334)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1309)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:259)
    at com.sun.xml.internal.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:104)
    ... 14 more
Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
    at java.security.Provider$Service.newInstance(Provider.java:1617)
    at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
    at sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
    at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156)
    at javax.net.ssl.SSLContext.getDefault(SSLContext.java:96)
    at javax.net.ssl.SSLSocketFactory.getDefault(SSLSocketFactory.java:122)
    at javax.net.ssl.HttpsURLConnection.getDefaultSSLSocketFactory(HttpsURLConnection.java:332)
    at javax.net.ssl.HttpsURLConnection.<init>(HttpsURLConnection.java:289)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.<init>(HttpsURLConnectionImpl.java:94)
    at sun.net.www.protocol.https.Handler.openConnection(Handler.java:62)
    at java.net.URL.openConnection(URL.java:1028)
    at com.sun.xml.internal.ws.api.EndpointAddress.openConnection(EndpointAddress.java:217)
    at com.sun.xml.internal.ws.transport.http.client.HttpClientTransport.createHttpConnection(HttpClientTransport.java:242)
    at com.sun.xml.internal.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:101)
    ... 14 more
Caused by: java.security.UnrecoverableKeyException: Get Key failed: java.security.InvalidKeyException: Invalid RSA private key
    at sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:435)
    at sun.security.provider.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:96)
    at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(JavaKeyStore.java:70)
    at java.security.KeyStore.getKey(KeyStore.java:1023)
    at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:133)
    at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
    at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
    at sun.security.ssl.SSLContextImpl$DefaultManagersHolder.getKeyManagers(SSLContextImpl.java:873)
    at sun.security.ssl.SSLContextImpl$DefaultManagersHolder.<clinit>(SSLContextImpl.java:758)
    at sun.security.ssl.SSLContextImpl$DefaultSSLContext.<init>(SSLContextImpl.java:913)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at java.security.Provider$Service.newInstance(Provider.java:1595)
    ... 27 more
Caused by: java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: Invalid RSA private key
    at sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:217)
    at java.security.KeyFactory.generatePrivate(KeyFactory.java:372)
    at sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:399)
    ... 41 more
Caused by: java.security.InvalidKeyException: Invalid RSA private key
    at sun.security.rsa.RSAPrivateCrtKeyImpl.parseKeyBits(RSAPrivateCrtKeyImpl.java:214)
    at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:343)
    at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:357)
    at sun.security.rsa.RSAPrivateCrtKeyImpl.<init>(RSAPrivateCrtKeyImpl.java:91)
    at sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(RSAPrivateCrtKeyImpl.java:75)
    at sun.security.rsa.RSAKeyFactory.generatePrivate(RSAKeyFactory.java:316)
    at sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:213)
    ... 43 more
Caused by: java.io.IOException: DerInputStream.getLength(): Redundant length bytes found
    at sun.security.util.DerInputStream.getLength(DerInputStream.java:606)
    at sun.security.util.DerInputStream.getLength(DerInputStream.java:569)
    at sun.security.util.DerInputStream.getPositiveBigInteger(DerInputStream.java:220)
    at sun.security.rsa.RSAPrivateCrtKeyImpl.parseKeyBits(RSAPrivateCrtKeyImpl.java:205)
    ... 49 more

The keystores as JKS and PKCS#12 have been verified to be working with Java 8u60, so they seem to be fine. Activating unlimited jurisdiction does not solve the problem. Restricting the client to TLSv1 or TLSv1.1 (via jdk.tls.client.protocols) has not changed the behavior. While the client is under my control, the server isn't. There are no client properties for SSL set except truststore and keystore.

I need to discuss with my client whether I can share -Djavax.net.debug=ssl, but before I do this: Is this list the right place to work on this and is someone willing to approach this issue?

Regards,

Florian
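An added illustration, not part of Florian's mail and not the JDK's own code: DER requires every length field to use its shortest possible encoding, and the innermost IOException in the second trace ("Redundant length bytes found") comes from a length decoder that enforces that rule. The script below walks a DER blob (for instance a PKCS#8 private key exported from the keystore) and reports every length a strict decoder would reject; it assumes low-tag-number form tags, and the two input blobs are constructed samples, not real keys.

```python
import sys
from typing import List, Optional, Tuple

def read_length(buf: bytes, pos: int) -> Tuple[int, int, str]:
    """Decode the DER length field at buf[pos]; return (length, next_pos, problem)."""
    if pos >= len(buf):
        return -1, pos, "truncated length field"
    first = buf[pos]
    pos += 1
    if first < 0x80:                       # short form: always minimal
        return first, pos, ""
    if first == 0x80:                      # BER only, never valid in DER
        return -1, pos, "indefinite length encoding"
    n = first & 0x7F
    raw = buf[pos:pos + n]
    if len(raw) < n:
        return -1, pos + n, "truncated length field"
    value = int.from_bytes(raw, "big")
    if raw[0] == 0:                        # e.g. 82 00 07 where 07 would do
        return value, pos + n, "redundant length bytes (leading zero octet)"
    if value < 0x80:                       # e.g. 81 01 where 01 would do
        return value, pos + n, "long form used where short form suffices"
    return value, pos + n, ""

def find_length_problems(buf: bytes, start: int = 0,
                         end: Optional[int] = None) -> List[Tuple[int, str]]:
    """Return (offset, problem) for every length a strict DER decoder rejects.
    Assumes low-tag-number form (tag < 0x1F), which RSA/PKCS#8 keys use."""
    end = len(buf) if end is None else end
    problems, pos = [], start
    while pos < end:
        tag = buf[pos]
        length, body, problem = read_length(buf, pos + 1)
        if problem:
            problems.append((pos, problem))
        if length < 0 or body + length > end:
            break                          # cannot safely continue past this TLV
        if tag & 0x20:                     # constructed: descend into the children
            problems += find_length_problems(buf, body, body + length)
        pos = body + length
    return problems

# Constructed samples (not real keys): SEQUENCE { INTEGER 0, INTEGER 5 }, minimal and sloppy.
GOOD_DER = bytes.fromhex("3006 020100 020105")
SLOPPY_DER = bytes.fromhex("30820007 028101 00 020105")

if __name__ == "__main__":                 # usage: python der_check.py key.der
    for off, why in find_length_problems(open(sys.argv[1], "rb").read()):
        print(f"offset {off}: {why}")
```

A key that passes this check but still fails to load has a different problem; a key that does not pass will be rejected by the stricter decoder regardless of keystore format, which matches the JKS and PKCS#12 traces both ending in the same PKCS8Key parsing code.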

